AuthN: Add session client (#60894)

* add basic session client

* populate UserToken in ReqContext

* token rotation as a post auth hook

* fixed in context handler

* add session token rotation

* add session token tests

* use namespacedID constructor

pkg/services/authn/authnimpl/service.go

@@ -9,6 +9,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/apikey"
+	"github.com/grafana/grafana/pkg/services/auth"
 	"github.com/grafana/grafana/pkg/services/authn"
 	sync "github.com/grafana/grafana/pkg/services/authn/authnimpl/usersync"
 	"github.com/grafana/grafana/pkg/services/authn/clients"
@@ -26,8 +27,11 @@ import (
 var _ authn.Service = new(Service)
 
 func ProvideService(
-	cfg *setting.Cfg, tracer tracing.Tracer, orgService org.Service, accessControlService accesscontrol.Service,
-	apikeyService apikey.Service, userService user.Service, loginAttempts loginattempt.Service, quotaService quota.Service,
+	cfg *setting.Cfg, tracer tracing.Tracer,
+	orgService org.Service, sessionService auth.UserTokenService,
+	accessControlService accesscontrol.Service,
+	apikeyService apikey.Service, userService user.Service,
+	loginAttempts loginattempt.Service, quotaService quota.Service,
 	authInfoService login.AuthInfoService, renderService rendering.Service,
 ) *Service {
 	s := &Service{
@@ -41,6 +45,10 @@ func ProvideService(
 	s.clients[authn.ClientRender] = clients.ProvideRender(userService, renderService)
 	s.clients[authn.ClientAPIKey] = clients.ProvideAPIKey(apikeyService, userService)
 
+	sessionClient := clients.ProvideSession(sessionService, userService, cfg.LoginCookieName, cfg.LoginMaxLifetime)
+	s.clients[authn.ClientSession] = sessionClient
+	s.RegisterPostAuthHook(sessionClient.RefreshTokenHook)
+
 	if s.cfg.AnonymousEnabled {
 		s.clients[authn.ClientAnonymous] = clients.ProvideAnonymous(cfg, orgService)
 	}
@@ -107,7 +115,7 @@ func (s *Service) Authenticate(ctx context.Context, client string, r *authn.Requ
 	params := c.ClientParams()
 
 	for _, hook := range s.postAuthHooks {
-		if err := hook(ctx, params, identity); err != nil {
+		if err := hook(ctx, params, identity, r); err != nil {
 			return nil, false, err
 		}
 	}

pkg/services/authn/authnimpl/usersync/orgsync.go

@@ -27,7 +27,8 @@ type OrgSync struct {
 	log log.Logger
 }
 
-func (s *OrgSync) SyncOrgUser(ctx context.Context, clientParams *authn.ClientParams, id *authn.Identity) error {
+func (s *OrgSync) SyncOrgUser(ctx context.Context,
+	clientParams *authn.ClientParams, id *authn.Identity, _ *authn.Request) error {
 	if !clientParams.SyncUser {
 		s.log.Debug("Not syncing org user", "auth_module", id.AuthModule, "auth_id", id.AuthID)
 		return nil

pkg/services/authn/authnimpl/usersync/orgsync_test.go

@@ -113,7 +113,7 @@ func TestOrgSync_SyncOrgUser(t *testing.T) {
 				accessControl: tt.fields.accessControl,
 				log:           tt.fields.log,
 			}
-			if err := s.SyncOrgUser(tt.args.ctx, tt.args.clientParams, tt.args.id); (err != nil) != tt.wantErr {
+			if err := s.SyncOrgUser(tt.args.ctx, tt.args.clientParams, tt.args.id, nil); (err != nil) != tt.wantErr {
 				t.Errorf("OrgSync.SyncOrgUser() error = %v, wantErr %v", err, tt.wantErr)
 			}
 

pkg/services/authn/authnimpl/usersync/usersync.go

@@ -25,7 +25,8 @@ type UserSync struct {
 }
 
 // SyncUser syncs a user with the database
-func (s *UserSync) SyncUser(ctx context.Context, clientParams *authn.ClientParams, id *authn.Identity) error {
+func (s *UserSync) SyncUser(ctx context.Context,
+	clientParams *authn.ClientParams, id *authn.Identity, _ *authn.Request) error {
 	if !clientParams.SyncUser {
 		s.log.Debug("Not syncing user", "auth_module", id.AuthModule, "auth_id", id.AuthID)
 		return nil

pkg/services/authn/authnimpl/usersync/usersync_test.go

@@ -430,7 +430,7 @@ func TestUserSync_SyncUser(t *testing.T) {
 				quotaService:    tt.fields.quotaService,
 				log:             tt.fields.log,
 			}
-			err := s.SyncUser(tt.args.ctx, tt.args.clientParams, tt.args.id)
+			err := s.SyncUser(tt.args.ctx, tt.args.clientParams, tt.args.id, nil)
 			if tt.wantErr {
 				require.Error(t, err)
 				return